When apparmor is pointed at a symlink, it doesn't guard execution of the
target of that symlink. But when apparmor is pointed to an executable
that has symlinks, execution of those symlinks IS guarded. Therefore, we
dereference symlinks to executables before putting them in the apparmor
template.